-#!/bin/sh
-exec smbscript "$0" ${1+"$@"}
-/*
- provision a Samba4 server
- Copyright Andrew Tridgell 2005
- Released under the GNU GPL v2 or later
-*/
-
-options = GetOptions(ARGV,
- "POPT_AUTOHELP",
- "POPT_COMMON_SAMBA",
- "POPT_COMMON_VERSION",
- "POPT_COMMON_CREDENTIALS",
- 'realm=s',
- 'domain=s',
- 'domain-guid=s',
- 'domain-sid=s',
- 'policy-guid=s',
- 'host-name=s',
- 'host-ip=s',
- 'host-guid=s',
- 'invocationid=s',
- 'adminpass=s',
- 'krbtgtpass=s',
- 'machinepass=s',
- 'dnspass=s',
- 'root=s',
- 'nobody=s',
- 'nogroup=s',
- 'wheel=s',
- 'users=s',
- 'quiet',
- 'blank',
- 'server-role=s',
- 'partitions-only',
- 'ldap-base',
- 'ldap-backend=s',
- 'ldap-module=s',
- 'aci=s');
-
-if (options == undefined) {
- println("Failed to parse options");
- return -1;
-}
-
-libinclude("base.js");
-libinclude("provision.js");
-
-/*
- print a message if quiet is not set
-*/
-function message()
-{
- if (options["quiet"] == undefined) {
- print(vsprintf(arguments));
- }
-}
-
-/*
- show some help
-*/
-function ShowHelp()
-{
- print("
-Samba4 provisioning
-
-provision [options]
- --realm REALM set realm
- --domain DOMAIN set domain
- --domain-guid GUID set domainguid (otherwise random)
- --domain-sid SID set domainsid (otherwise random)
- --host-name HOSTNAME set hostname
- --host-ip IPADDRESS set ipaddress
- --host-guid GUID set hostguid (otherwise random)
- --policy-guid GUID set group policy guid (otherwise random)
- --invocationid GUID set invocationid (otherwise random)
- --adminpass PASSWORD choose admin password (otherwise random)
- --krbtgtpass PASSWORD choose krbtgt password (otherwise random)
- --machinepass PASSWORD choose machine password (otherwise random)
- --root USERNAME choose 'root' unix username
- --nobody USERNAME choose 'nobody' user
- --nogroup GROUPNAME choose 'nogroup' group
- --wheel GROUPNAME choose 'wheel' privileged group
- --users GROUPNAME choose 'users' group
- --quiet Be quiet
- --blank do not add users or groups, just the structure
- --server-role ROLE Set server role to provision for (default standalone)
- --partitions-only Configure Samba's partitions, but do not modify them (ie, join a BDC)
- --ldap-base output only an LDIF file, suitable for creating an LDAP baseDN
- --ldap-backend LDAPSERVER LDAP server to use for this provision
- --ldap-module MODULE LDB mapping module to use for the LDAP backend
- --aci ACI An arbitary LDIF fragment, particularly useful to loading a backend ACI value into a target LDAP server
-You must provide at least a realm and domain
-
-");
- exit(1);
-}
-
-if (options['host-name'] == undefined) {
- options['host-name'] = hostname();
-}
-
-/*
- main program
-*/
-if (options["realm"] == undefined ||
- options["domain"] == undefined ||
- options["host-name"] == undefined) {
- ShowHelp();
-}
-
-/* cope with an initially blank smb.conf */
-var lp = loadparm_init();
-lp.set("realm", options.realm);
-lp.set("workgroup", options.domain);
-lp.set("server role", options["server-role"]);
-lp.reload();
-
-var subobj = provision_guess();
-for (r in options) {
- var key = strupper(join("", split("-", r)));
- subobj[key] = options[r];
-}
-
-var blank = (options["blank"] != undefined);
-var ldapbase = (options["ldap-base"] != undefined);
-var ldapbackend = (options["ldap-backend"] != undefined);
-var ldapmodule = (options["ldap-module"] != undefined);
-var partitions_only = (options["partitions-only"] != undefined);
-var paths = provision_default_paths(subobj);
-if (options["aci"] != undefined) {
- message("set ACI: %s\n", subobj["ACI"]);
-}
-
-message("set DOMAIN SID: %s\n", subobj["DOMAINSID"]);
-
-provision_fix_subobj(subobj, paths);
-
-if (ldapbackend) {
- if (options["ldap-backend"] == "ldapi") {
- subobj.LDAPBACKEND = subobj.LDAPI_URI;
- }
- if (!ldapmodule) {
- subobj.LDAPMODULE = "entryUUID";
- }
- subobj.DOMAINDN_LDB = subobj.LDAPBACKEND;
- subobj.DOMAINDN_MOD2 = "," + subobj.LDAPMODULE + ",paged_searches";
- subobj.CONFIGDN_LDB = subobj.LDAPBACKEND;
- subobj.CONFIGDN_MOD2 = "," + subobj.LDAPMODULE + ",paged_searches";
- subobj.SCHEMADN_LDB = subobj.LDAPBACKEND;
- subobj.SCHEMADN_MOD2 = "," + subobj.LDAPMODULE + ",paged_searches";
- message("LDAP module: %s on backend: %s\n", subobj.LDAPMODULE, subobj.LDAPBACKEND);
-}
-
-if (!provision_validate(subobj, message)) {
- return -1;
-}
-
-var system_session = system_session();
-var creds = options.get_credentials();
-message("Provisioning for %s in realm %s\n", subobj.DOMAIN, subobj.REALM);
-message("Using administrator password: %s\n", subobj.ADMINPASS);
-if (ldapbase) {
- provision_ldapbase(subobj, message, paths);
- message("Please install the LDIF located in " + paths.ldap_basedn_ldif + ", " + paths.ldap_config_basedn_ldif + " and " + paths.ldap_schema_basedn_ldif + " into your LDAP server, and re-run with --ldap-backend=ldap://my.ldap.server\n");
-} else if (partitions_only) {
- provision_become_dc(subobj, message, false, paths, system_session);
-} else {
- provision(subobj, message, blank, paths, system_session, creds, ldapbackend);
- provision_dns(subobj, message, paths, system_session, creds);
- message("To reproduce this provision, run with:\n");
-/* There has to be a better way than this... */
- message("--realm='%s' --domain='%s' \\\n", subobj.REALM_CONF, subobj.DOMAIN_CONF);
- if (subobj.DOMAINGUID != undefined) {
- message("--domain-guid='%s' \\\n", subobj.DOMAINGUID);
- }
- if (subobj.HOSTGUID != undefined) {
- message("--host-guid='%s' \\\n", subobj.HOSTGUID);
- }
- message("--policy-guid='%s' --host-name='%s' --host-ip='%s' \\\n", subobj.POLICYGUID, subobj.HOSTNAME, subobj.HOSTIP);
- message("--invocationid='%s' \\\n", subobj.INVOCATIONID);
- message("--adminpass='%s' --krbtgtpass='%s' \\\n", subobj.ADMINPASS, subobj.KRBTGTPASS);
- message("--machinepass='%s' --dnspass='%s' \\\n", subobj.MACHINEPASS, subobj.DNSPASS);
- message("--root='%s' --nobody='%s' --nogroup-'%s' \\\n", subobj.ROOT, subobj.NOBODY, subobj.NOGROUP);
- message("--wheel='%s' --users='%s' --server-role='%s' \\\n", subobj.WHEEL, subobj.USERS, subobj.SERVERROLE);
- if (ldapbackend) {
- message("--ldap-backend='%s' \\\n", subobj.LDAPBACKEND);
- }
- if (ldapmodule) {
- message("--ldap-mdoule='%s' \\\n", + subobj.LDAPMODULE);
- }
- message("--aci='" + subobj.ACI + "' \\\n")
-}
-
-
-message("All OK\n");
-return 0;
+#!/usr/bin/python
+#
+# Unix SMB/CIFS implementation.
+# provision a Samba4 server
+# Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2008
+# Copyright (C) Andrew Bartlett <abartlet@samba.org> 2008
+#
+# Based on the original in EJS:
+# Copyright (C) Andrew Tridgell 2005
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+import optparse
+import sys
+
+# Find right directory when running from source tree
+sys.path.insert(0, "bin/python")
+
+import samba
+from samba.credentials import DONT_USE_KERBEROS
+from samba.auth import system_session
+import samba.getopt as options
+from samba.provision import provision, FILL_FULL, FILL_NT4SYNC, FILL_DRS, find_setup_dir
+
+# how do we make this case insensitive??
+
+parser = optparse.OptionParser("provision [options]")
+sambaopts = options.SambaOptions(parser)
+parser.add_option_group(sambaopts)
+parser.add_option_group(options.VersionOptions(parser))
+credopts = options.CredentialsOptions(parser)
+parser.add_option_group(credopts)
+parser.add_option("--interactive", help="Ask for names", action="store_true")
+parser.add_option("--setupdir", type="string", metavar="DIR",
+ help="directory with setup files")
+parser.add_option("--realm", type="string", metavar="REALM", help="set realm")
+parser.add_option("--domain", type="string", metavar="DOMAIN",
+ help="set domain")
+parser.add_option("--domain-guid", type="string", metavar="GUID",
+ help="set domainguid (otherwise random)")
+parser.add_option("--domain-sid", type="string", metavar="SID",
+ help="set domainsid (otherwise random)")
+parser.add_option("--policy-guid", type="string", metavar="GUID",
+ help="set guid for domain policy")
+parser.add_option("--policy-guid-dc", type="string", metavar="GUID",
+ help="set guid for domain controller policy")
+parser.add_option("--ntds-guid", type="string", metavar="GUID",
+ help="set NTDS object GUID (otherwise random)")
+parser.add_option("--invocationid", type="string", metavar="GUID",
+ help="set invocationid (otherwise random)")
+parser.add_option("--host-name", type="string", metavar="HOSTNAME",
+ help="set hostname")
+parser.add_option("--host-ip", type="string", metavar="IPADDRESS",
+ help="set IPv4 ipaddress")
+parser.add_option("--host-ip6", type="string", metavar="IP6ADDRESS",
+ help="set IPv6 ipaddress")
+parser.add_option("--adminpass", type="string", metavar="PASSWORD",
+ help="choose admin password (otherwise random)")
+parser.add_option("--krbtgtpass", type="string", metavar="PASSWORD",
+ help="choose krbtgt password (otherwise random)")
+parser.add_option("--machinepass", type="string", metavar="PASSWORD",
+ help="choose machine password (otherwise random)")
+parser.add_option("--dnspass", type="string", metavar="PASSWORD",
+ help="choose dns password (otherwise random)")
+parser.add_option("--ldapadminpass", type="string", metavar="PASSWORD",
+ help="choose password to set between Samba and it's LDAP backend (otherwise random)")
+parser.add_option("--root", type="string", metavar="USERNAME",
+ help="choose 'root' unix username")
+parser.add_option("--nobody", type="string", metavar="USERNAME",
+ help="choose 'nobody' user")
+parser.add_option("--wheel", type="string", metavar="GROUPNAME",
+ help="choose 'wheel' privileged group")
+parser.add_option("--users", type="string", metavar="GROUPNAME",
+ help="choose 'users' group")
+parser.add_option("--quiet", help="Be quiet", action="store_true")
+parser.add_option("--blank", action="store_true",
+ help="do not add users or groups, just the structure")
+parser.add_option("--ldap-backend-extra-port", type="int", metavar="LDAP-BACKEND-EXTRA-PORT",
+ help="Additional TCP port for LDAP backend server (to use for replication)")
+parser.add_option("--ldap-backend-type", type="choice", metavar="LDAP-BACKEND-TYPE",
+ help="LDAP backend type (fedora-ds or openldap)",
+ choices=["fedora-ds", "openldap"])
+parser.add_option("--ldap-backend-nosync", help="Configure LDAP backend not to call fsync() (for performance in test environments)", action="store_true")
+parser.add_option("--server-role", type="choice", metavar="ROLE",
+ choices=["domain controller", "dc", "member server", "member", "standalone"],
+ help="The server role (domain controller | dc | member server | member | standalone). Default is standalone.")
+parser.add_option("--function-level", type="choice", metavar="FOR-FUN-LEVEL",
+ choices=["2003", "2008", "2008_R2"],
+ help="The domain and forest function level (2003 | 2008 | 2008_R2). Default is (Windows) 2003 (Native).")
+parser.add_option("--partitions-only",
+ help="Configure Samba's partitions, but do not modify them (ie, join a BDC)", action="store_true")
+parser.add_option("--targetdir", type="string", metavar="DIR",
+ help="Set target directory")
+parser.add_option("--ol-mmr-urls", type="string", metavar="LDAPSERVER",
+ help="List of LDAP-URLS [ ldap://<FQHN>:<PORT>/ (where <PORT> has to be different than 389!) ] separated with whitespaces for use with OpenLDAP-MMR (Multi-Master-Replication)")
+parser.add_option("--slapd-path", type="string", metavar="SLAPD-PATH",
+ help="Path to slapd for LDAP backend [e.g.:'/usr/local/libexec/slapd']. Required for Setup with LDAP-Backend. OpenLDAP Version >= 2.4.17 should be used.")
+parser.add_option("--setup-ds-path", type="string", metavar="SETUP_DS-PATH",
+ help="Path to setup-ds.pl script for Fedora DS LDAP backend [e.g.:'/usr/sbin/setup-ds.pl']. Required for Setup with Fedora DS backend.")
+parser.add_option("--nosync", help="Configure LDAP backend not to call fsync() (for performance in test environments)", action="store_true")
+parser.add_option("--ldap-dryrun-mode", help="Configure LDAP backend, but do not run any binaries and exit early. Used only for the test environment. DO NOT USE", action="store_true")
+
+opts = parser.parse_args()[0]
+
+def message(text):
+ """print a message if quiet is not set."""
+ if not opts.quiet:
+ print text
+
+if len(sys.argv) == 1:
+ opts.interactive = True
+
+if not opts.interactive and (opts.realm is None or opts.domain is None):
+ if opts.realm is None:
+ print >>sys.stderr, "No realm set"
+ if opts.domain is None:
+ print >>sys.stderr, "No domain set"
+ parser.print_usage()
+ sys.exit(1)
+
+if opts.interactive:
+ from getpass import getpass
+ import socket
+ def ask(prompt, default=None):
+ if default is not None:
+ print "%s [%s]: " % (prompt,default),
+ else:
+ print "%s: " % (prompt,),
+ return sys.stdin.readline().rstrip("\n") or default
+ try:
+ opts.realm = ask("Realm", socket.getfqdn().split(".", 1)[1].upper())
+ except IndexError:
+ print >>sys.stderr, "Cannot guess realm from %s" % ( socket.getfqdn())
+ sys.exit(1)
+
+ try:
+ opts.domain = ask("Domain", opts.realm.split(".")[0])
+ except IndexError:
+ print >>sys.stderr, "Cannot guess domain from %s" % ( opts.realm())
+ sys.exit(1)
+
+ opts.server_role = ask("Server Role (dc, member, standalone)", "dc")
+ for i in range(3):
+ opts.adminpass = getpass("Administrator password: ")
+ if not opts.adminpass:
+ print >>sys.stderr, "Invalid administrator password."
+ else:
+ break
+
+lp = sambaopts.get_loadparm()
+smbconf = lp.configfile
+
+if opts.server_role == "dc":
+ server_role = "domain controller"
+elif opts.server_role == "member":
+ server_role = "member server"
+else:
+ server_role = opts.server_role
+
+if opts.function_level is None:
+ dom_for_fun_level = None
+elif opts.function_level == "2003":
+ dom_for_fun_level = DS_DOMAIN_FUNCTION_2003
+elif opts.function_level == "2008":
+ dom_for_fun_level = DS_DOMAIN_FUNCTION_2008
+elif opts.function_level == "2008_R2":
+ dom_for_fun_level = DS_DOMAIN_FUNCTION_2008_R2
+
+creds = credopts.get_credentials(lp)
+
+creds.set_kerberos_state(DONT_USE_KERBEROS)
+
+setup_dir = opts.setupdir
+if setup_dir is None:
+ setup_dir = find_setup_dir()
+
+samdb_fill = FILL_FULL
+if opts.blank:
+ samdb_fill = FILL_NT4SYNC
+elif opts.partitions_only:
+ samdb_fill = FILL_DRS
+
+session = system_session()
+provision(setup_dir, message,
+ session, creds, smbconf=smbconf, targetdir=opts.targetdir,
+ samdb_fill=samdb_fill, realm=opts.realm, domain=opts.domain,
+ domainguid=opts.domain_guid, domainsid=opts.domain_sid,
+ policyguid=opts.policy_guid, policyguid_dc=opts.policy_guid_dc,
+ hostname=opts.host_name,
+ hostip=opts.host_ip, hostip6=opts.host_ip6,
+ ntdsguid=opts.ntds_guid,
+ invocationid=opts.invocationid, adminpass=opts.adminpass,
+ krbtgtpass=opts.krbtgtpass, machinepass=opts.machinepass,
+ dnspass=opts.dnspass, root=opts.root, nobody=opts.nobody,
+ wheel=opts.wheel, users=opts.users,
+ serverrole=server_role, dom_for_fun_level=dom_for_fun_level,
+ ldap_backend_extra_port=opts.ldap_backend_extra_port,
+ backend_type=opts.ldap_backend_type,
+ ldapadminpass=opts.ldapadminpass, ol_mmr_urls=opts.ol_mmr_urls,
+ slapd_path=opts.slapd_path, setup_ds_path=opts.setup_ds_path,
+ nosync=opts.nosync,ldap_dryrun_mode=opts.ldap_dryrun_mode)